Is equifaxsecurity2017.com legit?

The big news is that Equifax leaked the personal info of 143 million Americans. In the wake of the news, people were directed to check their status at the website www.equifaxsecurity2017.com. The domain name sounded fishy, in the same sense as someone claiming that ebay-security-alerts.com is an official eBay site. So a lot of people are asking whether equifaxsecurity2017.com is legit.

Two questions need to be answered to determine the safety of a website:

1. Is the domain really owned by the business as is claimed in the page contents?

2. Are you really connecting to the website that you entered in the address bar?

We have all learned that the images and logos on a page cannot be trusted to determine the legitimacy of a website. So what can we trust?

The green lock that appears to the left of the address bar in your browser.

Whenever you see a green lock, it means the web page you are seeing did indeed come from the domain you’ve entered into the address bar. That answers question 2, but provides no assurance that the domain belongs to the business the page claims. To answer question 1, the website needs a stronger SSL certificate that also certifies the business ownership of the domain. When a domain presents this stronger type of SSL certificate, you’ll see the name of the business next to the green lock.

When I loaded equifaxsecurity2017.com in my browser, I saw a green lock but no business name. So I decided to take a look at the SSL certificate (just tap the green lock).

Clicking on the “Certificate information” link reveals that the certificate was issued to ssl511860.cloudflaressl.com! But how come the browser did not complain that the name in the certificate was wrong?

As it turned out, the Cloudflare certificate was issued not for one domain but for multiple domains, probably in the hundreds. And equifaxsecurity2017.com was one of them. What I was seeing was a shared, super SSL certificate that certifies the validity of a multitude of domains all in one shot. That feels like a sloppy thing to do for a financial services company.
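
Why the browser accepted the certificate, as an added example that is not part of the original post: hostname checking compares the address-bar name against every DNS name in the certificate's subjectAltName list rather than the single "issued to" name, and a certificate that only validates the domain carries no organization name. The certificate data is constructed (apart from the two names quoted above, its entries are placeholders) and the function names are illustrative.

```python
# Added example. SAMPLE_CERT is constructed, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); SAN entries not quoted in the post are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "ssl511860.cloudflaressl.com"),),),
    "subjectAltName": (
        ("DNS", "ssl511860.cloudflaressl.com"),
        ("DNS", "equifaxsecurity2017.com"),
        ("DNS", "*.equifaxsecurity2017.com"),
        ("DNS", "unrelated-site.example"),
        ("DNS", "*.unrelated-site.example"),
    ),
}

def san_dns_names(cert):
    """DNS names listed in the subjectAltName extension, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_covered(cert, host):
    """Question 2: is the host one of the names the certificate vouches for?"""
    # The subject commonName is not consulted when SAN entries are present.
    return any(name_matches(n, host) for n in san_dns_names(cert))

def subject_organization(cert):
    """Question 1: validated business name in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def other_domains(cert, host):
    """Names on the same certificate that are neither the host nor under it."""
    bases = {n[2:] if n.startswith("*.") else n for n in san_dns_names(cert)}
    host = host.lower()
    return sorted(b for b in bases if b != host and not b.endswith("." + host))

if __name__ == "__main__":
    host = "equifaxsecurity2017.com"
    print(host_covered(SAMPLE_CERT, host), subject_organization(SAMPLE_CERT))
    print(other_domains(SAMPLE_CERT, host))
```

To run the same checks against a live connection, pass the dict returned by getpeercert() on a socket wrapped with ssl.create_default_context() in place of SAMPLE_CERT.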

In the end, is equifaxsecurity2017.com legit? Yes. It is owned and created by Equifax, as reported in mainstream media and linked from its official website. But I’m not assured of the website’s safety.

One Response so far.

After this post was published, the SSL certificate for equifaxsecurity2017.com was updated to a dedicated certificate. But still, it was appalling that a financial services company would use a free, shared SSL certificate in the first place.